Bug 249774 (CVE-2008-2379) - mail-client/squirrelmail <1.4.17: cross site scripting vulnerability (CVE-2008-2379)
Summary: mail-client/squirrelmail <1.4.17: cross site scripting vulnerability (CVE-200...
Status: RESOLVED FIXED
Alias: CVE-2008-2379
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
URL: http://sourceforge.net/project/showno...
Whiteboard: B3 [noglsa]
Reported: 2008-12-04 09:45 UTC by Timo
Modified: 2009-01-10 10:41 UTC (History)
Description Timo 2008-12-04 09:45:42 UTC
Quoted from Paul Lesniewski's e-mail:

The SquirrelMail team is happy to announce the release of version 1.4.17.  The
most notable change is a security fix that prevents certain specially-crafted
hyperlinks within messages from executing cross-site scripting attacks.  For
other details, see the ReleaseNotes file included in this release.  We advise
all users of SquirrelMail software to upgrade.

---

Quoted from the ReleaseNotes file:

Security issue
==============

An issue was fixed that allowed an attacker to send specially-
crafted hyperlinks in a message that could execute cross-site
scripting (XSS) when the user viewed the message in SquirrelMail.

We would like to thank Secunia Research for reporting this issue
to us. It is tracked as CVE-2008-2379.

Reproducible: Always
Comment 1 Tobias Scherbaum (RETIRED) gentoo-dev 2008-12-05 20:32:41 UTC
1.4.17 is in CVS.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2008-12-06 02:24:03 UTC
CVE-2008-2379 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2379):
  Cross-site scripting (XSS) vulnerability in SquirrelMail before
  1.4.17 allows remote attackers to inject arbitrary web script or HTML
  via a crafted hyperlink in an HTML part of an e-mail message.

Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-05 22:08:30 UTC
Arches, please test and mark stable:
Package: '=mail-client/squirrelmail-1.4.17'
Keywords: "alpha amd64 ppc ppc64 sparc x86"
Comment 4 Ferris McCormick (RETIRED) gentoo-dev 2009-01-06 13:58:50 UTC
Sparc stable.
Comment 5 Brent Baude (RETIRED) gentoo-dev 2009-01-06 15:56:03 UTC
ppc64 done
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2009-01-06 16:55:52 UTC
ppc stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2009-01-07 18:33:51 UTC
alpha/x86 stable
Comment 8 Richard Freeman gentoo-dev 2009-01-09 21:36:38 UTC
amd64 stable
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-10 00:33:11 UTC
Thanks!
Ready to vote, I vote NO.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-01-10 10:41:10 UTC
No too, closing.